Upload Pre Signed URL

Generates a presigned URL that allows temporary upload access to an S3 object without requiring AWS credentials.

Common Properties

  • Name - The custom name of the node.
  • Color - The custom color of the node.
  • Delay Before (sec) - Waits in seconds before executing the node.
  • Delay After (sec) - Waits in seconds after executing the node.
  • Continue On Error - Automation will continue regardless of any error. The default value is false.

Info: If the ContinueOnError property is true, no error is caught when the project is executed, even if a Catch node is used.

Inputs

  • Client Id - The client connection ID from the Connect node. Optional if using credentials directly.
  • Bucket Name - The name of the S3 bucket where the object will be uploaded.
  • Object Name - The key/name for the object to be uploaded, including any prefixes (folder path).
  • Expiration Second - The number of seconds until the presigned URL expires (e.g., 3600 for 1 hour).

Options

  • End Point - S3 endpoint URL. Required only if using credentials directly instead of Client ID.
  • Access Key Id - AWS Access Key ID credential. Optional - use this instead of Client ID for direct authentication.
  • Secret Key Access - AWS Secret Access Key credential. Optional - use this instead of Client ID for direct authentication.

Output

  • result - The query string portion of the presigned URL that can be used to upload an object.

How It Works

The Upload Pre Signed URL node generates a temporary, secure URL that allows anyone with the URL to upload a file to S3 without AWS credentials. When executed, the node:

  1. Retrieves the S3 client using either the Client ID or creates a new client from credentials
  2. Validates that the bucket name, object name, and expiration time are provided
  3. Generates a presigned PUT URL with the specified expiration time
  4. Returns the URL query string that can be used for uploading
  5. The URL grants upload permission only for the specified object and expires after the set time
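
Why the URL is bound to one method, one object and one expiry: the sketch below is an added example (not the node's own code) that builds a SigV4 presigned query string with Node's built-in crypto and shows that changing any signed field changes the signature. It assumes path-style addressing, `host` as the only signed header and an unsigned payload; the credentials and the `presignQuery`, `signatureOf` and `bindingReport` names are constructed for illustration.

```javascript
// Added example, not the node's code: SigV4 query-string presigning for S3.
const { createHash, createHmac } = require('node:crypto');

const hmac = (key, data) => createHmac('sha256', key).update(data).digest();
const sha256Hex = (data) => createHash('sha256').update(data).digest('hex');
// SigV4 wants RFC 3986 escaping; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

function presignQuery({ method, host, path, region, accessKeyId, secretKey, amzDate, expires }) {
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${accessKeyId}/${scope}`],
    ['X-Amz-Date', amzDate],
    ['X-Amz-Expires', String(expires)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).join('&'); // names already in sorted order
  const canonicalPath = path.split('/').map(enc).join('/');
  // Method, object path, expiry and host all go into the text that gets signed.
  const canonicalRequest = [method, canonicalPath, query, `host:${host}`, '',
    'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope,
    sha256Hex(canonicalRequest)].join('\n');
  // Signing key: HMAC chain over date, region, service and a fixed terminator.
  const kDate = hmac(`AWS4${secretKey}`, day);
  const kSigning = hmac(hmac(hmac(kDate, region), 's3'), 'aws4_request');
  return `${query}&X-Amz-Signature=${hmac(kSigning, stringToSign).toString('hex')}`;
}

// Constructed request and credentials (placeholders, not real keys).
const sample = {
  method: 'PUT', host: 's3.amazonaws.com',
  path: '/user-uploads/documents/user-123/report.pdf', region: 'us-east-1',
  accessKeyId: 'AKIAEXAMPLEKEYID0000', secretKey: 'constructed-demo-secret',
  amzDate: '20240315T120000Z', expires: 3600,
};
const signatureOf = (req) => presignQuery(req).split('X-Amz-Signature=')[1];
// Changing any signed field yields a different signature, so a URL minted for
// PUT on one key cannot be replayed as POST, against another key, or for longer.
function bindingReport() {
  return {
    method: signatureOf({ ...sample, method: 'POST' }) !== signatureOf(sample),
    object: signatureOf({ ...sample, path: '/user-uploads/other.pdf' }) !== signatureOf(sample),
    expiry: signatureOf({ ...sample, expires: 86400 }) !== signatureOf(sample),
  };
}
console.log(presignQuery(sample), bindingReport());
```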

Requirements

  • Either a valid Client ID from a Connect node, or Access Key ID and Secret Access Key credentials
  • A valid S3 bucket
  • Appropriate S3 permissions to upload objects (s3:PutObject)
  • The bucket must exist and be accessible with the provided credentials

Error Handling

The node will return specific errors in the following cases:

  • Empty or invalid bucket name
  • Empty or invalid object name
  • Invalid expiration time
  • Invalid Client ID or credentials
  • Bucket does not exist
  • Insufficient permissions to generate presigned URLs
  • Network or connection errors

Usage Notes

  • The presigned URL is valid only for the specified duration
  • After expiration, the URL cannot be used for uploads
  • The URL grants upload permission only - it cannot be used to download or delete
  • Anyone with the URL can upload to the specified object key
  • The upload will overwrite any existing object with the same key
  • No AWS credentials are required by the uploader
  • The URL is specific to the object name - different objects require different URLs
  • URL security depends on keeping the URL private

URL Expiration Guidelines

Recommended expiration times based on use case:

  • Short-term uploads (15-60 minutes): User form uploads, temporary file transfers
  • Medium-term uploads (1-24 hours): Batch processing, scheduled tasks
  • Long-term uploads (24+ hours): Rarely recommended due to security concerns

Best Practices

  • Use the shortest practical expiration time for security
  • Generate new URLs for each upload operation
  • Don't share presigned URLs publicly or in insecure channels
  • Monitor bucket activity for unauthorized uploads
  • Use HTTPS endpoints to protect URLs in transit
  • Implement additional validation in your application layer
  • Consider using bucket policies to restrict uploads
  • Log URL generation for audit purposes
  • Validate uploaded files after they're stored

Example

To generate a presigned URL for uploading a document:

Inputs:

  • Client Id: (from Connect node)
  • Bucket Name: user-uploads
  • Object Name: documents/user-123/report.pdf
  • Expiration Second: 3600 (1 hour)

Output:

X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...&X-Amz-Date=20240315T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=...

This query string can be appended, after a "?", to the object's URL (S3 endpoint, bucket name, and object name) to create a complete presigned URL.

Using the Presigned URL

The presigned URL can be used in several ways:

HTTP PUT Request:

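// Using fetch API; `result` is the query string returned by the node
const presignedUrl = `https://s3.amazonaws.com/user-uploads/documents/user-123/report.pdf?${result}`;

const response = await fetch(presignedUrl, {
  method: 'PUT',
  body: fileContent,
  headers: {
    'Content-Type': 'application/pdf'
  }
});

// A non-2xx status means S3 rejected the upload (for example, the URL expired)
if (!response.ok) {
  throw new Error(`Upload failed with status ${response.status}`);
}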

curl Command:

curl -X PUT "https://s3.amazonaws.com/bucket/object?${queryString}" \
  --upload-file local-file.pdf \
  -H "Content-Type: application/pdf"

HTML Form:

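<form id="upload-form" action="https://s3.amazonaws.com/bucket/object?${queryString}">
  <input type="file" name="file">
  <input type="submit" value="Upload">
</form>
<script>
  // The URL is signed for PUT, which a native form submit cannot send, so PUT the selected file with fetch.
  const form = document.getElementById('upload-form');
  form.addEventListener('submit', (event) => {
    event.preventDefault();
    fetch(form.action, { method: 'PUT', body: form.elements.file.files[0] });
  });
</script>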

Common Use Cases

User File Uploads:

Allow users to upload files directly to S3 from a web browser:

  1. Generate Presigned URL - Create upload URL for user
  2. Return URL to Client - Send URL to web browser
  3. Client Uploads - User uploads file using the URL
  4. Verify Upload - Confirm file was uploaded successfully

Third-Party Integration:

Allow external systems to upload files without sharing AWS credentials:

  1. API Request - External system requests upload URL
  2. Generate Presigned URL - Create temporary upload URL
  3. Return URL - Send URL to external system
  4. Upload - External system uploads file

Temporary Upload Portal:

Create time-limited upload access for partners or clients:

  1. Generate URLs - Create presigned URLs for specific objects
  2. Share URLs - Send URLs via email or portal
  3. Monitor - Track when uploads occur
  4. Expire - URLs automatically expire after set time

Batch Upload Preparation:

Prepare multiple upload URLs for batch operations:

  1. Loop - For each file to upload:
    • Generate Presigned URL - Create URL for object
    • Store URL - Save URL for later use
  2. Distribute URLs - Share URLs with upload workers
  3. Parallel Upload - Multiple uploads happen concurrently

Security Considerations

URL Protection:

  • Treat presigned URLs like temporary passwords
  • Use HTTPS to prevent URL interception
  • Don't log or expose URLs in client-side code
  • Implement rate limiting on URL generation
  • Monitor for URL abuse or unusual upload patterns
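
Logging URL generation for audit while keeping the URL itself out of the logs can be done by recording the query string's metadata and redacting the signature. The following is an added example, not part of the node: `auditPresignedQuery`, its result fields and the sample query string are constructed for illustration, and the 24-hour threshold is this page's own guideline.

```javascript
// Added example: summarise a presigned query string for an audit log while
// keeping the signature (and any session token) out of the record.
const MAX_EXPIRES = 86400; // this page's "maximum recommended" of 24 hours

// Constructed sample in the shape of the node's output; the signature is fake.
const SAMPLE_QUERY = 'X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Credential=AKIAEXAMPLEKEYID0000%2F20240315%2Fus-east-1%2Fs3%2Faws4_request' +
  '&X-Amz-Date=20240315T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host' +
  '&X-Amz-Signature=' + 'ab'.repeat(32);

function auditPresignedQuery(queryString, now = new Date()) {
  const params = new URLSearchParams(queryString);
  const expires = Number(params.get('X-Amz-Expires'));
  const stamp = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/
    .exec(params.get('X-Amz-Date') || '');
  if (!stamp || !Number.isInteger(expires) || expires <= 0) {
    throw new Error('not a SigV4 presigned query string');
  }
  const [y, mo, d, h, mi, s] = stamp.slice(1).map(Number);
  const signedAt = new Date(Date.UTC(y, mo - 1, d, h, mi, s));
  const expiresAt = new Date(signedAt.getTime() + expires * 1000);

  const findings = [];
  if (expires > MAX_EXPIRES) findings.push('expiry longer than 24 hours');
  if (expiresAt <= now) findings.push('already expired');

  // Whoever holds the signature holds the upload right, so never log it.
  for (const secret of ['X-Amz-Signature', 'X-Amz-Security-Token']) {
    if (params.has(secret)) params.set(secret, 'REDACTED');
  }
  return {
    accessKeyId: (params.get('X-Amz-Credential') || '').split('/')[0],
    signedAt: signedAt.toISOString(),
    expiresAt: expiresAt.toISOString(),
    findings,
    loggable: params.toString(),
  };
}

console.log(auditPresignedQuery(SAMPLE_QUERY, new Date('2024-03-15T12:30:00Z')));
```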

Upload Validation:

  • Validate file types and sizes on the client side
  • Implement server-side validation after upload
  • Use S3 bucket policies to restrict file types
  • Scan uploaded files for malware
  • Verify uploader identity before generating URLs

Dynamic Object Names

Generate URLs with dynamic object names based on user or session:

const userId = 'user-123';
const timestamp = Date.now();
const objectName = `uploads/${userId}/${timestamp}/document.pdf`;

Inputs:

  • Object Name: (constructed dynamically)
  • Expiration Second: 1800 (30 minutes)
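
When part of the object name comes from the uploader, the key should be built so that a supplied file name cannot step outside the user's prefix or collide with an existing object (an upload overwrites any object with the same key). This is an added example, not part of the node: `buildObjectKey`, the allowed-extension list and the user-id pattern are assumptions chosen for illustration.

```javascript
// Added example: derive the Object Name input from untrusted upload metadata.
const { randomUUID } = require('node:crypto');

const ALLOWED_EXT = new Set(['pdf', 'zip', 'png']); // assumed allow-list

function buildObjectKey(userId, originalName, now = Date.now()) {
  // The user id becomes a prefix, so it must not contain "/" or "..".
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userId)) {
    throw new Error('invalid user id');
  }
  // Keep only the last path component so "../../x" or "a\b" cannot
  // move the key to another prefix.
  const base = String(originalName).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  const ext = dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
  if (!ALLOWED_EXT.has(ext)) {
    throw new Error('file type not allowed');
  }
  // Reduce the stem to a conservative character set and a bounded length.
  const stem = base.slice(0, dot)
    .normalize('NFKC')
    .replace(/[^A-Za-z0-9._-]+/g, '_')
    .replace(/^\.+/, '')
    .slice(0, 80) || 'file';
  // A random component per URL means two uploads never share a key, so one
  // presigned URL cannot overwrite an object written through another.
  return `uploads/${userId}/${now}-${randomUUID()}/${stem}.${ext}`;
}

// Constructed inputs, including a traversal attempt in the file name.
console.log(buildObjectKey('user-123', '../../etc/report.pdf'));
console.log(buildObjectKey('user-123', 'my report (final).PDF'));
```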

Direct Credentials Example

Inputs:

  • Bucket Name: application-uploads
  • Object Name: temp/upload-${Date.now()}.zip
  • Expiration Second: 7200 (2 hours)

Options:

  • End Point: s3.us-east-1.amazonaws.com
  • Access Key Id: (your AWS Access Key ID credential)
  • Secret Key Access: (your AWS Secret Access Key credential)

Complete Upload Flow

  1. Generate Presigned URL - Create upload URL
  2. Return URL - Send URL to client/user
  3. Client Upload - File uploaded using PUT request
  4. Verify - Check if object exists using Get Object
  5. Process - Perform any post-upload processing

Multi-Part Upload Consideration

Note: This node generates URLs for simple PUT uploads. For large files (over 5GB) or multi-part uploads, you'll need to:

  • Split files into parts
  • Generate separate presigned URLs for each part
  • Use S3 multi-part upload API

For most use cases, simple PUT uploads work well for files up to 5GB.

Expiration Time Examples

  • 300 seconds (5 minutes): Quick form submissions
  • 1800 seconds (30 minutes): Standard file uploads
  • 3600 seconds (1 hour): Larger file uploads
  • 7200 seconds (2 hours): Batch uploads
  • 86400 seconds (24 hours): Maximum recommended for security

Common Errors

Error: "NoSuchBucket: The specified bucket does not exist"

  • Solution: Verify the bucket name is correct and exists

Error: "Access Denied"

  • Solution: Ensure your credentials have s3:PutObject permission

Error: "Invalid Client ID"

  • Solution: Verify the Client ID from the Connect node is correct

Error: "Empty or invalid expiration time"

  • Solution: Provide a valid positive integer for expiration seconds

Monitoring Uploads

After generating presigned URLs, monitor actual uploads:

  1. Generate URL - Create presigned URL
  2. Wait - Allow time for upload
  3. Check Object - Use Get Object to verify upload
  4. Log - Record successful/failed uploads

URL Lifecycle

  1. Generation: Presigned URL created with expiration time
  2. Active Period: URL can be used for uploads
  3. Expiration: URL becomes invalid after expiration time
  4. Post-Expiration: Upload attempts fail with signature errors